
DarkianZ

Making a secure contact form PHP

Hello everyone, I'm trying to secure my contact form and I wanted to know how to do it. I want to prevent bots, spam, or injections on it; that's why I looked at many ways of doing it but still don't understand them.

<?php

if (isset($_POST['submit'])) {

    $mailto = "[email protected]"; // address that receives the form submissions
    $fname = $_POST['firstName'];  // visitor's first name
    $lname = $_POST['lastName'];   // visitor's last name
    $fromEmail = $_POST['email'];  // visitor's email address
    $phone = $_POST['phone'];      // visitor's phone number
    $subject = $_POST['message'];  // visitor's message, also used as the subject line
    $subject2 = "Confirmation: Message was submitted successfully"; // subject of the confirmation

    // Email I receive
    $message = "Client Name: " . $fname . " " . $lname . "\n"
        . "Phone Number: " . $phone . "\n\n"
        . "Client Message: " . "\n"
        . $_POST['message'];

    // Message for the client
    $message2 = "Dear " . $fname . "\n"
        . "Thank you for contacting us. We will reply to you as soon as we can" . "\n\n"
        . "You submitted the following message: " . "\n" . $_POST['message'] . "\n\n"
        . "Regards," . "\n" . "ENTREPRISE";

    // EMAIL HEADERS
    $headers = "From: " . $fromEmail; // the visitor's address, used unvalidated as the From header
    $headers2 = "From: " . $mailto;   // our address, for the confirmation the client receives

    // PHP MAIL FUNCTION
    $result1 = mail($mailto, $subject, $message, $headers);
    $result2 = mail($fromEmail, $subject2, $message2, $headers2);

    // CHECK WHETHER BOTH MAILS WERE ACCEPTED
    if ($result1 && $result2) {
        $success = "Your Message was sent Successfully!";
    } else {
        $failed = "Sorry! Message was not sent, Try again Later.";
    }
}

?>

I have this one too from an old project, but I don't know if it can be used.



<?php
// Returns true when the value contains line breaks (raw or URL-encoded) that could
// be used to inject extra headers into the mail.
function IsInjected($str)
{
    $injections = array('(\n+)',
           '(\r+)',
           '(\t+)',
           '(%0A+)',
           '(%0D+)',
           '(%08+)',
           '(%09+)'
           );

    $inject = join('|', $injections);
    $inject = "/$inject/i";

    return (bool) preg_match($inject, $str);
}

$visitor_email = isset($_POST['email']) ? $_POST['email'] : ''; // the field this check was applied to

if (IsInjected($visitor_email))
{
    echo "Bad email value!";
    exit;
}
?>


I think I have to do validation for each input on the form, but I don't know how it works or how it's supposed to protect my form from attacks.

I've been working on this example but I don't know how to adapt it to my own.


<?php
  if(isset($_POST['submit'])){
    $name = htmlspecialchars(stripslashes(trim($_POST['name'])));
    $subject = htmlspecialchars(stripslashes(trim($_POST['subject'])));
    $email = htmlspecialchars(stripslashes(trim($_POST['email'])));
    $message = htmlspecialchars(stripslashes(trim($_POST['message'])));
    if(!preg_match("/^[A-Za-z .'-]+$/", $name)){
      $name_error = 'Invalid name';
    }
    if(!preg_match("/^[A-Za-z .'-]+$/", $subject)){
      $subject_error = 'Invalid subject';
    }
    if(!preg_match("/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/", $email)){
      $email_error = 'Invalid email';
    }
    if(strlen($message) === 0){
      $message_error = 'Your message should not be empty';
    }
  }
?>

Thanks in advance! :D

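As an added example (not DarkianZ's code, and not a library API), here is how the three concerns in the question fit together for this form: the honeypot field and CSRF token against bots, per-field validation with length limits, and keeping the visitor's address out of the From header so no extra mail headers can be injected. It assumes the form also posts a hidden "website" honeypot and a "csrf" token, and the From address is a placeholder for your own domain.

```php
<?php
// Added example, not DarkianZ's code. Assumes the form posts firstName, lastName, email,
// phone, message, a hidden honeypot field "website" that humans leave empty, and a CSRF
// token "csrf" whose expected value was stored in the session when the form was rendered.

function validate_contact(array $post, string $expectedCsrf): array
{
    $errors = [];
    $d = [];
    foreach (['firstName', 'lastName', 'email', 'phone', 'message'] as $f) {
        $d[$f] = trim((string) ($post[$f] ?? ''));
    }
    if (($post['website'] ?? '') !== '') {
        $errors[] = 'Rejected';                // honeypot: bots tend to fill every field
    }
    if ($expectedCsrf === '' || !hash_equals($expectedCsrf, (string) ($post['csrf'] ?? ''))) {
        $errors[] = 'Invalid form token';      // not submitted from a form we rendered
    }
    foreach (['firstName', 'lastName'] as $f) {
        if (!preg_match("/^[\p{L} .'-]{1,60}$/u", $d[$f])) {
            $errors[] = 'Invalid ' . $f;
        }
    }
    // The email is the only field that reaches a mail header (Reply-To below);
    // FILTER_VALIDATE_EMAIL rejects CR/LF, so no extra header can be smuggled in.
    if (filter_var($d['email'], FILTER_VALIDATE_EMAIL) === false || strlen($d['email']) > 254) {
        $errors[] = 'Invalid email';
    }
    if (!preg_match('/^[0-9 +().-]{0,25}$/', $d['phone'])) {
        $errors[] = 'Invalid phone';
    }
    if ($d['message'] === '' || strlen($d['message']) > 4000) {
        $errors[] = 'Message must be 1 to 4000 characters';
    }
    return ['errors' => $errors, 'data' => $d];
}

function send_contact(array $d, string $mailto): bool
{
    // From stays on your own domain (placeholder address) so SPF/DMARC pass; the visitor
    // goes in Reply-To. The subject is fixed rather than taken from the request.
    $headers = "From: contact@your-domain.example\r\nReply-To: {$d['email']}\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    $body = "Client Name: {$d['firstName']} {$d['lastName']}\nPhone Number: {$d['phone']}\n\n"
          . "Client Message:\n{$d['message']}";
    return mail($mailto, 'Contact form message', $body, $headers);
}
```

In the handler, call session_start(), pass $_SESSION['csrf'] as the second argument, and only call send_contact() when the returned errors array is empty.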
Snapey

You are not using any framework?
